CN110572258B - Cloud password computing platform and computing service method - Google Patents
Abstract
The invention discloses a cloud cryptographic computing platform and a computing service method. The method comprises the following steps: 1) starting n physical cipher machines to form a cipher machine cluster connected to the resource management module; 2) synchronizing the master keys of the n cipher machines so that they share the cipher machine master key K_m; 3) sending a received key generation request to cipher machine A; 4) cipher machine A processes the user identity in the request with K_m to generate the corresponding user master key K_i; 5) cipher machine A generates the algorithm key AK_i, encrypts it with K_i and sends the result to the resource management module; 6) when user i requests computation service j, the stored key [AK_i]_{K_i} is added to the user's encryption/decryption or signing/verification request, which is sent to cipher machine B; 7) cipher machine B recovers K_i from the identity in the request and K_m, decrypts [AK_i]_{K_i} with K_i and completes computation service j with AK_i.
Description
Technical Field
The invention relates to the field of cyberspace security, in particular to a cloud cryptographic computing platform capable of resource management and to a computing service method.
Background
Cloud computing: cloud computing is a mode of adding, using and delivering internet-based services, generally involving the provision of dynamic, easily expandable and often virtualized resources over the internet. It is a kind of distributed computing whose most basic idea is to split a huge computing task automatically into many smaller subtasks over a network, hand them to a large system composed of many servers for searching, computing and analysis, and then return the result to the user.
Cryptographic computing device: a device that provides cryptographic computation services such as symmetric/asymmetric encryption and decryption of data, data integrity verification, digital signature generation and verification, and key generation for users.
In-memory database: as the name implies, an in-memory database operates directly on data held in memory. Memory reads and writes are several orders of magnitude faster than disk access, so keeping data in memory greatly improves application performance compared with fetching it from disk. An in-memory database allows precise traffic control and resource scheduling while keeping performance high.
Unified authentication architecture: a general architecture providing a general authentication mechanism, which reuses the mobile authentication infrastructure a user already relies on to access the mobile network for the access authorization control of new services, so that no dedicated authentication mechanism has to be provided for each new service. Both the mobile terminal and the service provider can obtain the latest trusted information about each other (i.e. the identifier and the shared key) through the unified authentication architecture, so that mutual authentication can be realized.
Cloud cryptographic service: the cloud cryptographic service combines cryptographic services with a cloud computing platform and expands cryptographic capacity dynamically by scheduling a cluster of encryption machines, which greatly increases cryptographic throughput and system stability and provides users with a centralized, virtualized and transparent cryptographic service. It can be applied to electronic commerce and electronic government, which demand high security and high performance, improving the overall robustness, efficiency and maturity of such systems; it can also be applied to various clouds, data centres and cloud nodes to solve the security problems of local data storage, network transmission, identity authentication and data integrity, and to prevent various kinds of fraud on the network. Current cloud cryptographic service schemes run several virtual cipher machines on one physical cipher machine by virtualization; this partitions cryptographic capacity flexibly, but the computing capacity of a single physical cipher machine then sets the upper limit of the whole platform.
Disclosure of Invention
The invention discloses a novel cloud cryptographic computing platform and computing service method. The platform comprises a physical cipher machine cluster, a resource management module, an access authentication module and a data storage module. The physical cipher machines provide cryptographic computing capability to the outside, mainly the Chinese national algorithms SM2, SM3 and SM4, and protect keys with a three-layer key system consisting of the cipher machine's own master key, user master keys and algorithm keys. The access authentication module confirms the identity of the party requesting cryptographic computation by third-party unified authentication. The data storage module stores all information that must be persisted. The resource management module is deployed on the cloud cryptographic computing platform's resource management server; it abstracts the physical cipher machines into cryptographic computing capacity, virtualizes them into virtual cipher machines according to the capacity a user applies for, and, together with the access authentication module and the data storage module, performs resource scheduling, performance control, request forwarding and load balancing for cryptographic computation requests.
The invention also provides a method by which the resource management module, combining the physical cipher machine cluster and the data storage module, provides cryptographic computing services to the outside. It comprises the following steps:
1) The n physical cipher machines are started to form a physical cipher machine cluster connected to the resource management module.
2) The master keys of the n physical cipher machines are synchronized through the key protection card so that they share the cipher machine master key K_m; K_m exists only in the cipher machines' key protection cards.
3) The resource management server receives a number of key generation requests and sends them to an idle physical cipher machine A for processing.
4) After receiving the key generation requests from the resource management server, cipher machine A first processes the user identity userId in each request with the master key K_m, using the SM3-HMAC algorithm, to generate the user master key K_i corresponding to that user.
5) Cipher machine A generates an algorithm key AK_i according to the computation type in the request and encrypts AK_i with the user master key K_i to obtain [AK_i]_{K_i}.
6) The keys [AK_1]_{K_1} to [AK_i]_{K_i} generated by the physical cipher machine cluster are sent back to the resource management module, which stores the i keys in the database against the corresponding user identities.
7) When user i requests encryption/decryption, signature verification or another function j, the resource management module fetches the key [AK_i]_{K_i} belonging to user i from the database, adds it to the user's encryption/decryption or signature verification request, and sends the request to an idle physical cipher machine B for computation according to the load balancing strategy.
8) Cipher machine B uses the identity userId in the request and the master key K_m to regenerate user i's master key K_i with the SM3-HMAC algorithm, decrypts the [AK_i]_{K_i} in the request with K_i using the SM4 algorithm, and performs the cryptographic computation, completing computation service j.
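The three-layer key hierarchy of the steps above (also claim 1 and step 10 of the detailed description), as an added example that is not part of the patent: one Go program models the cluster sharing K_m, machine A deriving K_i and wrapping a fresh AK_i, and machine B re-deriving K_i from the request identity to unwrap it. Because the Go standard library has neither SM3 nor SM4, HMAC-SHA256 stands in for SM3-HMAC and AES-256-GCM for SM4; the cluster size, identifiers and payload are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// CipherMachine is one node of the cluster. Every node holds the same master key
// Km (synchronised via the key protection card), so any node can re-derive any
// user's master key without shared state.
type CipherMachine struct{ Km []byte }

// NewCluster models step 2: n machines sharing one freshly generated Km.
func NewCluster(n int) []*CipherMachine {
	km := make([]byte, 32)
	if _, err := rand.Read(km); err != nil {
		panic(err)
	}
	cluster := make([]*CipherMachine, n)
	for i := range cluster {
		cluster[i] = &CipherMachine{Km: km}
	}
	return cluster
}

// deriveUserKey computes Ki = HMAC(Km, userId). The page uses SM3-HMAC; this
// example substitutes HMAC-SHA256 because the Go standard library has no SM3.
func (m *CipherMachine) deriveUserKey(userID string) []byte {
	mac := hmac.New(sha256.New, m.Km)
	mac.Write([]byte(userID))
	return mac.Sum(nil) // 32 bytes, used directly as the wrapping key
}

// WrappedKey is [AKi]Ki as the resource management module stores it: the
// algorithm key encrypted under the user master key. AKi itself is never stored.
type WrappedKey struct {
	UserID, CodeType string // owner and computation type ("codeRequest")
	Nonce, Blob      []byte
}

// GenerateAlgorithmKey is steps 4-5 on machine A: derive Ki, generate a fresh
// AKi and return only the wrapped form. AES-256-GCM stands in for SM4 here.
func (m *CipherMachine) GenerateAlgorithmKey(userID, codeType string) (WrappedKey, error) {
	ak := make([]byte, 32)
	if _, err := rand.Read(ak); err != nil {
		return WrappedKey{}, err
	}
	aead, err := newAEAD(m.deriveUserKey(userID))
	if err != nil {
		return WrappedKey{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return WrappedKey{}, err
	}
	// The additional data binds the blob to its owner and computation type.
	blob := aead.Seal(nil, nonce, ak, []byte(userID+"|"+codeType))
	return WrappedKey{UserID: userID, CodeType: codeType, Nonce: nonce, Blob: blob}, nil
}

// Compute is step 8 on machine B: re-derive Ki from the request identity and Km,
// unwrap AKi, then perform the service (an HMAC over the payload stands in for SM2/SM4).
func (m *CipherMachine) Compute(w WrappedKey, requestUserID string, payload []byte) ([]byte, error) {
	aead, err := newAEAD(m.deriveUserKey(requestUserID))
	if err != nil {
		return nil, err
	}
	ak, err := aead.Open(nil, w.Nonce, w.Blob, []byte(w.UserID+"|"+w.CodeType))
	if err != nil {
		// A different identity or a foreign Km derives a different Ki, so the GCM tag fails.
		return nil, fmt.Errorf("unwrap failed for %q: %w", requestUserID, err)
	}
	mac := hmac.New(sha256.New, ak)
	mac.Write(payload)
	return mac.Sum(nil), nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	cluster := NewCluster(3)
	w, err := cluster[0].GenerateAlgorithmKey("user-42", "sign") // machine A
	if err != nil {
		panic(err)
	}
	sig, err := cluster[2].Compute(w, "user-42", []byte("payload")) // machine B
	fmt.Printf("sig=%x err=%v\n", sig, err)
}
```

The unwrap failure path is what keeps the stored blobs useful only inside the cluster: a machine with another K_m, or a request carrying another user's identity, derives the wrong K_i and the authenticated decryption rejects the blob.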
The invention also provides a method by which the resource management module cooperates with the access authentication module to perform authentication. It comprises the following steps:
1) The cloud user requests cryptographic computation from the resource management module.
2) The resource management module first judges whether the current user has a legal identity. If not, it returns an identity authentication data packet to the cloud user containing: client_id, the identity of the resource management server; redirect_uri, the address at which the resource management server receives the user identity credential issued by the unified authentication system; response_type, the response format the resource management server requests from the unified authentication system; scope, the range of user authorization data the resource management server requests; and nonce, a random number generated for each request.
3) The cloud user takes the content returned by the resource management module, adds the user name 'username' and the password 'password', and forwards it to the authentication module for authentication.
4) The unified authentication module parses the data packet and, once the user's name and password have been verified, returns a token to the cloud user. The token is user data encoded in JWT format and comprises the platform identity 'audience', marking the application requesting login; the unified authentication address 'issuer', marking the user credential system; 'sub', marking the identity of the user making the current request; the nonce from the request; and other information, together with a digital signature over this information.
5) The cloud user forwards the token to the resource management module.
6) The resource management module first extracts the digital signature from the token and verifies it, and at the same time checks that the 'nonce' in the token is consistent with the 'nonce' in the request.
7) If verification passes, the resource management module extracts the user name 'username' as the id (namely userId) and the tenant identity 'tenantId' held in the data storage module, and passes them as input to step 2 of the following procedure, which queries the tenant identity.
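The authentication exchange above as an added example, not the platform's own code: a constructed stand-in for the unified authentication system issues a JWT-style token carrying audience, issuer, sub and nonce, and the resource management side verifies the signature, audience and issuer and accepts each nonce it issued exactly once. Ed25519 is an assumption (the page does not name the signature algorithm), as are the client_id, issuer URL and user name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims carries the token fields the page lists: audience, issuer, sub, nonce.
type Claims struct {
	Audience string `json:"aud"`
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Nonce    string `json:"nonce"`
}

// AuthSystem stands in for the unified authentication system. It signs tokens
// with Ed25519; the page does not name the signature algorithm.
type AuthSystem struct {
	Issuer string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
}

func NewAuthSystem(issuer string) *AuthSystem {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &AuthSystem{Issuer: issuer, Pub: pub, priv: priv}
}

// IssueToken is step 4 after the username/password check (assumed to have
// passed): a JWT-style header.payload.signature string, base64url encoded.
func (a *AuthSystem) IssueToken(clientID, username, nonce string) string {
	enc := base64.RawURLEncoding
	header := enc.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`))
	body, _ := json.Marshal(Claims{Audience: clientID, Issuer: a.Issuer, Subject: username, Nonce: nonce})
	signingInput := header + "." + enc.EncodeToString(body)
	return signingInput + "." + enc.EncodeToString(ed25519.Sign(a.priv, []byte(signingInput)))
}

// ResourceManager is the verifying side: it remembers each nonce it issued (step 2)
// and accepts it once. The map is not concurrency-safe; a real server needs a shared store.
type ResourceManager struct {
	ClientID, Issuer string
	Pub              ed25519.PublicKey
	pending          map[string]bool
}

// NewNonce generates the per-request random number sent to the cloud user.
func (r *ResourceManager) NewNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	n := base64.RawURLEncoding.EncodeToString(b)
	r.pending[n] = true
	return n
}

// VerifyToken is step 6: check the signature, then audience, issuer and the
// one-time nonce. It returns the authenticated user name (sub) on success.
func (r *ResourceManager) VerifyToken(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(r.Pub, []byte(parts[0]+"."+parts[1]), sig) {
		return "", errors.New("signature check failed")
	}
	payload, err := enc.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return "", errors.New("unreadable claims")
	}
	if c.Audience != r.ClientID || c.Issuer != r.Issuer {
		return "", fmt.Errorf("token for audience %q from issuer %q is not for this server", c.Audience, c.Issuer)
	}
	if !r.pending[c.Nonce] {
		return "", errors.New("nonce unknown or already used (possible replay)")
	}
	delete(r.pending, c.Nonce) // consume: one token per issued nonce
	return c.Subject, nil
}

func main() {
	auth := NewAuthSystem("https://auth.example")
	rm := &ResourceManager{ClientID: "rm-client-1", Issuer: auth.Issuer, Pub: auth.Pub, pending: map[string]bool{}}
	tok := auth.IssueToken(rm.ClientID, "alice", rm.NewNonce())
	fmt.Println(rm.VerifyToken(tok)) // alice <nil>
	fmt.Println(rm.VerifyToken(tok)) // replay: nonce already consumed
}
```

Checking the nonce against the set of nonces the resource management server itself generated, rather than merely against the value the client echoes back, is what turns the page's consistency check into replay protection.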
The invention also provides a method by which the resource management module cooperates with the data storage module to check the user state and limit the rate of cryptographic requests. The speed limiting sub-steps are as follows:
1) Obtain the computation type 'codeRequest' of the key generation request.
2) Using the request identity 'userId' obtained from the unified authentication process, query the cloud user's current state 'identity.status', and using 'identity.tenantId' query the state 'tenant.status' of its tenant. The current state indicates whether the user may currently request computation and is simply yes or no; the tenant state is likewise yes or no and indicates whether the tenant the user belongs to is available.
3) Using the 'userId' obtained from the unified authentication process and the computation type 'codeRequest', query the Redis database for the cloud user's total speed quota 'Algorithm.limit' and current used speed 'Algorithm.used' for that computation type.
4) If the current used speed is below the cloud user's total speed quota for that computation type, the request (for encryption/decryption or signature verification) is allowed and the current used speed is updated; otherwise the request is rejected.
5) The speed limiting module also periodically queries the time limit 'Algorithm.timeValid' of the speed usage record; once the time limit is found to have expired, the current used speeds of all computation types of all users are cleared, so that the requests of the next second are limited afresh.
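The status check and speed limit of the sub-steps above, as an added example rather than the platform's own code: an in-memory model of the 'identity.status' and 'tenant.status' lookups and of the per-(userId, codeRequest) 'Algorithm.limit', 'Algorithm.used' and 'Algorithm.timeValid' record, with the periodic clearing of used speeds once the one-second time limit expires. User, tenant and computation type names are constructed, and a plain map stands in for Redis.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Directory holds the yes/no states the page calls "identity.status" and
// "tenant.status", plus each user's tenant ("identity.tenantId").
type Directory struct {
	UserEnabled   map[string]bool
	UserTenant    map[string]string
	TenantEnabled map[string]bool
}

// quota mirrors the per-(userId, codeRequest) record the page keeps in the
// in-memory database: "Algorithm.limit", "Algorithm.used", "Algorithm.timeValid".
type quota struct {
	limit, used int
	timeValid   time.Time // end of the current one-second window
}

var (
	ErrUserDisabled   = errors.New("identity.status: user may not request computation")
	ErrTenantDisabled = errors.New("tenant.status: tenant unavailable")
	ErrNoQuota        = errors.New("no speed quota for this computation type")
	ErrRateLimited    = errors.New("Algorithm.used has reached Algorithm.limit")
)

// SpeedLimiter is the resource management module's speed limiting sub-module.
// The clock is injected so the one-second window reset can be tested
// deterministically. State lives in a plain map here; the page keeps it in
// Redis, which also gives the atomic update a concurrent server needs.
type SpeedLimiter struct {
	dir    *Directory
	quotas map[string]*quota
	now    func() time.Time
}

func NewSpeedLimiter(dir *Directory, now func() time.Time) *SpeedLimiter {
	return &SpeedLimiter{dir: dir, quotas: map[string]*quota{}, now: now}
}

func key(userID, codeRequest string) string { return userID + "#" + codeRequest }

// SetQuota assigns the total speed quota (requests per second) of one
// computation type for one user, as pre-allocated to the tenant.
func (s *SpeedLimiter) SetQuota(userID, codeRequest string, perSecond int) {
	s.quotas[key(userID, codeRequest)] = &quota{limit: perSecond, timeValid: s.now().Add(time.Second)}
}

// Admit performs steps 1-4: status checks first, then the quota comparison and
// the update of the used speed. An expired window is also reset here, so a late
// Sweep cannot stretch a window beyond one second.
func (s *SpeedLimiter) Admit(userID, codeRequest string) error {
	if !s.dir.UserEnabled[userID] {
		return ErrUserDisabled
	}
	if !s.dir.TenantEnabled[s.dir.UserTenant[userID]] {
		return ErrTenantDisabled
	}
	q, ok := s.quotas[key(userID, codeRequest)]
	if !ok {
		return ErrNoQuota
	}
	if now := s.now(); !now.Before(q.timeValid) {
		q.used, q.timeValid = 0, now.Add(time.Second)
	}
	if q.used >= q.limit {
		return ErrRateLimited
	}
	q.used++
	return nil
}

// Sweep is step 5: run periodically, it clears the used speed of every
// (user, type) whose time limit has expired, and reports how many it cleared.
func (s *SpeedLimiter) Sweep() int {
	now, cleared := s.now(), 0
	for _, q := range s.quotas {
		if !now.Before(q.timeValid) {
			q.used, q.timeValid = 0, now.Add(time.Second)
			cleared++
		}
	}
	return cleared
}

func main() {
	dir := &Directory{UserEnabled: map[string]bool{"u1": true}, UserTenant: map[string]string{"u1": "t1"},
		TenantEnabled: map[string]bool{"t1": true}}
	s := NewSpeedLimiter(dir, time.Now)
	s.SetQuota("u1", "sm4-encrypt", 2)
	for i := 1; i <= 3; i++ {
		fmt.Println("request", i, "->", s.Admit("u1", "sm4-encrypt")) // the third is rate limited
	}
}
```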
In addition, to guarantee the credibility of tenants and their subordinate access identities during actual cryptographic computing service, the access authentication module verifies identities with the OpenID protocol in a third-party unified authentication mode; the resource management module performs load balancing control on the traffic and limits the rate according to the cloud user's speed quota; and after receiving the cloud user's request packet, the resource management module converts its format into a computation request for the physical cipher machine cluster.
The invention has the following advantages:
The method and system virtualize the cryptographic computing capability of cryptographic computing devices into resources offered as a service, while managing and scheduling those devices reasonably and efficiently, so that cryptographic computing devices can be used in the cloud, the special requirements of cloud computing for on-demand computing, elastic expansion and multi-user operation are met, and the security and usability of the cryptographic computing devices are improved.
Drawings
FIG. 1 is a system block diagram of the present invention.
Detailed Description
The present invention is described in further detail below with reference to the attached drawings.
As shown in FIG. 1, the cloud cryptographic computing platform of the present invention mainly comprises four parts: a physical cipher machine cluster, a resource management module, an access authentication module and a data storage module.
The physical cipher machines provide cryptographic computing capability to the outside, mainly the cryptographic operations of the Chinese national algorithms SM2, SM3 and SM4. The cipher machine master key protects the user master keys, each user master key protects that user's algorithm keys, and the cipher machine master key itself is protected by the key protection card, which effectively guarantees the security of the computing platform.
The resource management module deployed on the resource management server controls and converts the cloud user's cryptographic computation requests according to the performance quota pre-allocated to the tenant, and forwards them to physical cipher machines through the load balancing strategy to request the actual cryptographic computation.
The access authentication module is responsible for authenticating the identities of the cloud tenants that access the platform and of the personnel under those tenants, in a third-party unified authentication mode.
The data storage module is mainly responsible for storing information about tenants and their subordinates and detailed information about the cipher machines, and provides query, insert, delete and update functions to the resource management module.
The invention provides a method by which the cloud cryptographic computing platform provides cryptographic service operations, comprising the following steps:
1) The physical cipher machines load the cryptographic computation service.
2) The resource management module loads the resource management service, connects to the physical cipher machines, counts the available computing capacity, and virtualizes the physical cipher machines into cloud cipher machines with cryptographic computing capacity according to the capacity applied for by the user.
3) The resource management module connects to the database of the data storage module, mainly to obtain the personal information of cloud tenants and of the cloud users subordinate to them.
4) The access authentication server is started as the access authentication module, providing the cloud cryptographic computing platform with a third-party unified authentication function to authenticate the identities of cloud users and their tenants.
5) When loading is complete, the resource management module serves as the cloud platform's cryptographic computing service module and, with the assistance of the other modules, provides cloud users with cryptographic computing services of different types and performance according to their requests.
6) A cloud user requests a cryptographic operation service from the resource management module and first enters the resource management server's unified authentication flow.
7) The resource management module receives the cloud user's cryptographic computation request packet, parses the request, and first performs speed limit processing.
8) Once speed limit processing has passed, the resource management module converts the format of the request packet to generate the request packet actually sent to the physical cipher machine for cryptographic computation.
9) After format conversion, the resource management module sends the generated request packet to a physical cipher machine through the load balancing strategy.
10) After receiving the request packet, the cipher machine first generates the user master key from the cipher machine master key and the user identity 'userId' with SM3-HMAC, then decrypts the algorithm key 'keyBits' with the user key using the SM4 decryption algorithm, and then performs the cryptographic computation.
11) When the cipher machine has completed the computation, it returns the result to the resource management module, and the resource management server sends the result to the cloud user.
12) The service is complete.
Through this system and method, traditional cryptographic devices providing cryptographic services are managed uniformly and virtualized into a number of logically independent virtual cipher machines, so that the cryptographic service meets the special requirements of cloud computing for on-demand allocation and multiple users, can be used in a cloud computing environment, and the security of the cryptographic devices is ensured.
It should be noted that, for simplicity of description, the foregoing embodiment describes a particular combination of sequences of actions, but those skilled in the art should understand that the present application is not limited by the described order of actions, since some steps may be performed in other sequences or simultaneously according to the present application.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a ROM, a RAM, etc.
The above disclosure is only for the purpose of illustrating the preferred embodiments of the present invention, and it is therefore to be understood that the invention is not limited by the scope of the appended claims.
Claims (9)
1. A computing service method, the steps comprising:
1) starting n physical cipher machines to form a physical cipher machine cluster, and connecting the physical cipher machine cluster to a resource management module;
2) synchronizing the master keys of the n physical cipher machines so that they share the cipher machine master key K_m;
3) after receiving a key generation request, the resource management server selects a physical cipher machine A from the physical cipher machine cluster, then sends the received key generation request to physical cipher machine A for processing;
4) physical cipher machine A processes the user identity userId in each key generation request with the master key K_m using a key generation algorithm to generate the user master key K_i of the corresponding user;
5) physical cipher machine A generates an algorithm key AK_i according to the computation type of the key generation request, encrypts the algorithm key AK_i with the user master key K_i to obtain [AK_i]_{K_i}, and sends it to the resource management module;
6) when a user i requests a computation service j, the resource management module adds the key [AK_i]_{K_i} corresponding to user i to the user's encryption/decryption or signature verification request and sends it to a physical cipher machine B in the physical cipher machine cluster for computation;
7) physical cipher machine B applies the key generation algorithm to the identity userId in the request and the master key K_m to obtain the user master key K_i of user i, decrypts the [AK_i]_{K_i} in the request with the user master key K_i, and completes computation service j with AK_i.
2. The method as claimed in claim 1, wherein in step 3), after receiving the key generation request, the resource management server first authenticates the user who sent the key generation request and, if the authentication passes, selects a physical cipher machine A from the physical cipher machine cluster.
3. The method of claim 2, wherein the method of authenticating the user who issued the key generation request is:
31) the resource management server judges whether the current user has a legal identity and, if not, returns an identity authentication data packet to the user; wherein the information in the identity authentication data packet comprises: the identifier client_id of the resource management server, the address redirect_uri at which the resource management server receives the user identity credential issued by the unified authentication system, the response format response_type that the resource management server requests from the unified authentication system, the scope of the user authorization data requested by the resource management server, and the random number nonce;
32) the user sends the user's user name username and password to the unified authentication system for authentication according to the response format response_type;
33) after the user's name and password pass authentication, the unified authentication system returns a token to the user, wherein the information in the token comprises the identity audience of the application requesting login, the identity issuer of the system issuing the user credential, the identity sub of the user and the random number nonce, accompanied by a digital signature over this information;
34) the user forwards the token to the resource management module;
35) the resource management module verifies the token and checks whether the random number nonce in the token is consistent with the random number nonce in the identity authentication data packet; if the two are consistent, the authentication passes.
4. The method of claim 3, wherein after the authentication is passed, the resource management module extracts the username of the user to query the current state of the user; obtains the tenant identity tenant_id of the user from the unified authentication system and queries the tenant state according to the tenant identity tenant_id; then queries the total speed quota and the current used speed of the user for that calculation type according to the user identity user_id and the calculation type code_request; if the current used speed is less than the user's total speed quota for that calculation type, the encryption/decryption or signature/verification request is allowed, the current used speed is updated, and step 7) is then performed; otherwise, the encryption/decryption or signature/verification request is refused.
5. The method of claim 1, wherein the master keys of n physical crypto-engines are synchronized by using a crypto-protection card to share crypto-engine master key Km; and the master key Km only exists in the cipher machine password protection card.
6. A cloud password computing platform, characterized by comprising a physical cipher machine cluster consisting of n physical cipher machines, a resource management module and a resource management server; wherein the n physical cipher machines share the cipher machine master key Km;
The resource management server is used for selecting a physical cipher machine A from the physical cipher machine cluster after receiving the key generation request; then sending the received key generation request to a physical cipher machine A for operation;
a physical cryptographic engine for, for each key generation request, processing the user identity user_id in the request with the master key Km by a key generation algorithm to generate the user master key Ki of the corresponding user; generating an algorithm key AKi according to the calculation type of the key generation request, then encrypting the algorithm key AKi with the user master key Ki to obtain [AKi]Ki and sending it to the resource management module; and, according to the user identity user_id in the request and the master key Km, obtaining the user master key Ki of user i by applying the key generation algorithm, decrypting the [AKi]Ki in the request with the user master key Ki, and using AKi to complete computation service j;
a resource management module for storing the received [AKi]Ki; and when user i requests computation service j, adding the key [AKi]Ki corresponding to user i into the user's encryption/decryption or signature/verification request and sending it to a physical cipher machine B in the physical cipher machine cluster for calculation.
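The key hierarchy of claims 1 and 6, as an added Python example that is not the patent's own code: engine A derives Ki from Km and user_id, generates AKi and returns only [AKi]Ki, which the resource management module stores; engine B recomputes Ki from the same Km and unwraps AKi to run the service. HMAC-SHA256 as the key generation algorithm, the HMAC-based wrap and all constructed identifiers are assumptions, since the claims name neither algorithm.

```python
import hashlib
import hmac
import secrets

# Constructed example (assumptions, not the patent's own code). The patent names
# neither the key generation algorithm nor the wrapping cipher: HMAC-SHA256 stands
# in for key generation, and an HMAC-derived keystream with an encrypt-then-MAC tag
# stands in for the cipher machine's symmetric wrap.
K_M = secrets.token_bytes(32)   # master key Km: shared by all n engines, never leaves them

def derive_user_master_key(k_m, user_id):
    """Key generation algorithm: Ki is a deterministic function of Km and user_id,
    so any engine holding Km can recompute it and nothing per-user needs storing."""
    return hmac.new(k_m, b"user-master-key|" + user_id.encode(), hashlib.sha256).digest()

def _keystream(key, iv, length):
    blocks = [hmac.new(key, iv + c.to_bytes(4, "big"), hashlib.sha256).digest()
              for c in range(0, length, 32)]
    return b"".join(blocks)[:length]

def wrap(k_i, ak_i):
    """Produce [AKi]Ki: AKi encrypted under Ki plus an integrity tag."""
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(ak_i, _keystream(k_i, iv, len(ak_i))))
    return iv + ct + hmac.new(k_i, b"wrap|" + iv + ct, hashlib.sha256).digest()

def unwrap(k_i, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_i, b"wrap|" + iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped key failed integrity check (wrong Ki or tampering)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_i, iv, len(ct))))

def engine_generate_key(k_m, user_id, code_request):
    """Engine A: derive Ki, create AKi for this calculation type, hand back only [AKi]Ki."""
    k_i = derive_user_master_key(k_m, user_id)
    ak_i = secrets.token_bytes(32)          # algorithm key AKi (a symmetric key here)
    return {"user_id": user_id, "code_request": code_request, "wrapped_ak": wrap(k_i, ak_i)}

def engine_compute(k_m, request, data):
    """Engine B: recompute Ki from Km and user_id, unwrap AKi, run computation service j
    (an HMAC over data stands in for the encryption/signature service)."""
    k_i = derive_user_master_key(k_m, request["user_id"])
    ak_i = unwrap(k_i, request["wrapped_ak"])
    return hmac.new(ak_i, data, hashlib.sha256).hexdigest()
```

The dictionary returned by engine_generate_key is what the resource management module keeps: it never sees Km, Ki or AKi in the clear, and a request forwarded under a different user_id fails the integrity check instead of yielding a key.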
7. The cloud computing platform of claim 6, further comprising an authentication module; after receiving the key generation request, the resource management server first authenticates the user sending the key generation request, as follows: the resource management server judges whether the current user has a legal identity; if not, an identity authentication data packet is returned to the user, wherein the information in the identity authentication data packet comprises: the identifier client_id of the resource management server, the address redirect_uri used to receive the user identity credential issued by the unified authentication system, the response format response_type requested by the resource management server from the unified authentication system, the scope of user authorization data requested by the resource management server, and the random number nonce; the username and password sent by the user according to the response format response_type are then received; after authenticating the user's username and password, the authentication module returns a token to the user, wherein the information in the token comprises the identity identifier audience of the application requesting login, the identity identifier issuer of the system issuing the user credential, the identity identifier sub of the user and the random number nonce, with a digital signature over this information attached; the resource management module then receives the token sent by the user and, after the token is verified, checks whether the random number nonce in the token is consistent with the random number nonce in the identity authentication data packet; if the two are consistent, the authentication is passed.
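The nonce-bound login of claims 3 and 7, as an added Python example that is not part of the patent: the resource management server issues the identity authentication data packet, the unified authentication system returns a signed token, and verification checks the signature, the audience and that the nonce is the one issued for this session. HMAC-SHA256 under a key shared by both parties, the user database and all identifiers are assumptions; the patent names no signature algorithm.

```python
import hashlib
import hmac
import json
import secrets

# Constructed values (assumptions, not from the patent). The patent does not
# name a signature algorithm; HMAC-SHA256 under a key shared by the unified
# authentication system and the resource management server stands in for the
# "digital signature" on the token.
AUTH_SIGNING_KEY = b"constructed-unified-auth-signing-key"
CLIENT_ID = "resource-management-server"
REDIRECT_URI = "https://rms.example/callback"

def hash_password(password):
    """Password hashing for the constructed user database (demo only)."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_auth_packet():
    """Step 31: identity authentication data packet sent to a user without a legal identity."""
    return {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "response_type": "id_token", "scope": "openid",
            "nonce": secrets.token_hex(16)}

def issue_token(packet, username, password, user_db):
    """Step 33: unified authentication system checks credentials, returns a signed token or None."""
    stored = user_db.get(username)
    if stored is None or not hmac.compare_digest(stored, hash_password(password)):
        return None
    claims = {"audience": packet["client_id"], "issuer": "unified-auth-system",
              "sub": username, "nonce": packet["nonce"]}
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims,
            "sig": hmac.new(AUTH_SIGNING_KEY, body, hashlib.sha256).hexdigest()}

def verify_token(token, packet):
    """Step 35: verify the signature, the audience, and that the token's nonce is the
    one issued in step 31, so a token captured from another session cannot be replayed."""
    if token is None:
        return False
    body = json.dumps(token["claims"], sort_keys=True).encode()
    expected = hmac.new(AUTH_SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return False                               # forged or tampered token
    if token["claims"]["audience"] != packet["client_id"]:
        return False                               # token meant for another application
    return hmac.compare_digest(token["claims"]["nonce"], packet["nonce"])
```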
8. The cloud computing platform of claim 7, further comprising a rate limit module; after the authentication is passed, the resource management module extracts the username of the user to query the current state of the user; the rate limit module obtains the tenant identity tenant_id of the user from the unified authentication system and queries the tenant state according to the tenant identity tenant_id; then queries the total speed quota and the current used speed of the user for that calculation type according to the user identity user_id and the calculation type code_request; if the current used speed is smaller than the user's total speed quota for that calculation type, the encryption/decryption or signature/verification request is allowed and the current used speed is updated; otherwise, the encryption/decryption or signature/verification request is refused.
9. The cloud computing platform of claim 6, wherein master keys of n physical crypto machines are synchronized using the crypto protection card to share crypto master key Km; and the master key Km only exists in the cipher machine password protection card.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910671174.3A CN110572258B (en) | 2019-07-24 | 2019-07-24 | Cloud password computing platform and computing service method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110572258A CN110572258A (en) | 2019-12-13 |
CN110572258B true CN110572258B (en) | 2021-12-14 |
2019
- 2019-07-24 CN CN201910671174.3A patent/CN110572258B/en active Active
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |